Appendix B: Best Practices for access policies

Appendix C: Best Practices for network security
Steve riley,microsoft Communications Industry Solutions Group Consulting Practice

August 7, 2000

This essay discusses the best solution for network design and security. Although there are many ways to design and secure the network, only some methods and steps are favored by many people in the industry.

Filter routers-First line of defense
You should use a filter router to protect any Internet-facing firewalls. This router has only two interfaces: one is connected to the Internet and the other is connected to an external firewall (or, if necessary, a load-balanced firewall cluster). Nearly 90% of all attacks involve IP address theft, or change the source address to make the packet look like it came from the internal network. There is no reason for incoming packets to come from an internal network. In addition, because the security of a network usually depends on the security of the network you are connected to, it is best to prevent your network from being used as a source of fake packets. Filtering routers is an ideal way to achieve these goals.

The filtering router should be configured as "Allow all except", "which is specifically denied" (allow all traffic other than a special rejection) state. In this way, the ACL performs the following actions:

Defines an entry filter that rejects incoming traffic for any source address that is an internal network address.
Defines an out-of-office filter that rejects outgoing traffic from a source address that is not an internal network.
Rejects all incoming or outgoing traffic from the source or destination addresses in any private address range identified in RFC 1918.
All other incoming and outgoing traffic is allowed.
This can prevent most attacks because stealing an internal address is almost a basic condition for all attacks. Configure the firewall behind the filtering router as "deny all except this which is specifically allowed" (denies all traffic except special permission) status.

(This part of the information is based on RFC 2267, "Network ingress filtering:defeating denial of service attacks which IP source address employ G ", January 1998. ）

For environments with high availability requirements, you can use two filter routers and connect the two to a pair of firewall load balancing devices.

Firewalls-tiered protection
The typical demilitarized zone (DMZ) has two firewalls. The external firewall is configured to allow only the communication required to connect between the Internet and the DMZ. The internal firewall is configured to protect the internal network from the DMZ-DMZ the untrusted network, so it is necessary to protect the internal network.

What is a DMZ? Look at the only political DMZ in the world: the region between the two Koreas. The DMZ is determined by its protection boundary-in this case, two geographical boundaries, respectively, are monitored and protected by separate protection entities. The DMZ in the network is very similar to this: A separate network segment is connected to (usually) two other networks through a separate physical firewall.

DMZ and shielding subnet. A common approach is to use a single physical firewall with multiple interfaces. One interface is connected to the Internet, the second interface is connected to the internal network, and the third interface is connected to the area commonly known as the DMZ. This architecture is not a real DMZ, because a single device is responsible for multiple protected areas. The exact name of this scheme is the screened subnet. Screened subnets have a serious flaw-a single attack can damage the entire network because all network segments are connected to the firewall.

The advantages of the DMZ. Why deploy the DMZ? Cyber attacks are increasing-some are just for fun, show off their pranks, and some are serious, purposeful corporate espionage and sabotage. An effective security architecture is a barrier to attack, and the structure has the ability to adjust. The true DMZ architecture has the following advantages:

Has a targeted security policy. Each firewall enforces a policy corresponding to the protected object.
Deep defense. When security is compromised, multiple physical components of the device provide more time for the security administrator to respond. This is the single and most important reason why you should deploy a real DMZ rather than a screened subnet.
Improve performance. The responsibility for communication checks between the two devices is separate, and each specific protected area is configured with a single device.
Scalability. You can extend the firewall as needed-the external firewall typically has a much higher load to handle than the internal firewall. Technologies like Radware's fireproof can balance loads across firewall farms.
Eliminate the point of failure. To achieve high availability, you should deploy at least a pair of firewall load balancers that are fully applicable to a pair of firewalls. This allows the firewall to exactly match the DMZ core switch.

Firewall type
There are currently three types of firewalls:

Basic packet filters.
The Status detection packet filter.
The application agent.
Basic packet filters. It is not uncommon to have simple packet filtering as a firewall because almost all routers can perform this function. Packet filtering simply compares the ports, protocols, and addresses of outgoing and incoming packets according to a set of rules. Data packets that do not conform to the rule are terminated by the firewall. Basic packet filtering provides little security because many types of attacks can easily bypass it.

The Status detection packet filter. These firewalls examine the process in addition to individual packets. The status check engine tracks the startup of each connection and ensures that all traffic corresponding to a previously logged-on connection is initiated. Unsolicited packets that comply with firewall rules but cannot be mapped to any connection will be terminated. Stateful inspection is more secure than basic packet filtering, but it is likely to be attacked by an intrusion that can be enabled through a firewall-usable protocol, such as HTTP. Neither type of packet filter can parse the contents of any packet. In addition, both types of packet-filtering firewalls cannot reassemble fragmented packets before they are calculated according to the rule set. As a result, certain types of attacks can be successfully delivered using highly skilled packet fragments.

The application agent. Application agents provide the highest level of security. The connection does not pass through the proxy, and the incoming connection is truncated at the agent, and the proxy implements the connection to the target server. The application agent checks the payload and determines whether it conforms to the protocol. For example, a normal HTTP request has a certain characteristic. Attacks that pass through HTTP will have access to these features (most notably, traffic passed over HTTP requests have too much incoming information) and will be terminated. Application proxies are also vulnerable to fragmentation attacks. Because of the load imposed on the application agent, it is the slowest in the three types of firewall technology.

So what is the best technology? The answer depends on the level of security you need. Some stateful inspection firewalls are starting to join the application agent function; Checkpoint's Firewall-1 is such an example.

host-based firewall protection. Thorough defense should be the design goal of any security plan. Filter routers and traditional DMZ provide three-tier protection, which is usually sufficient to protect most network services. For a highly secure environment, a host-based firewall provides another layer of protection. A host-based firewall allows the security administrator to determine a detailed security policy so that the server's IP stack is open only to the ports and protocols required by the application on that server. Some host-based firewalls also implement outgoing protection to help ensure that one damaged machine does not affect other machines on the same network. Of course, host-based firewalls do add to the burden of common system management. Consider adding host-based protection only to servers that contain critical data.

DMZ architecture-Security and performance
Another common type of attack is to pry packets from the line. Although there are recent anti-prying tools (which may often be unreliable), a network built with a simple hub is vulnerable to this attack. (and anti-spying tools can also make it an important issue.) The use of switches to replace hubs eliminates this vulnerability. In a shared media network (a network built with hubs), all of the devices can see all the traffic. Typically, the network interface does not process data frames that are not sent to it. The interface of the promiscuous mode will upload the contents of each frame up to the computer's protocol stack. This information may be of great value to an attacker who has a protocol analyzer.

Switching networks can actually prevent this from happening. The network interface of any machine in a switched network will see only those frames that are specifically sent to the interface. Promiscuous mode is no different here because the NIC does not recognize any other network traffic. The only known way for an attacker to pry into a switched network is if an attacker destroys the switch itself and changes its operation so that the switch is at least one port full of all traffic. Destroying the switch is difficult and will soon be discovered by the network administrator.

Switching networks also eliminates the need to use a dual-host DMZ server. Dual hosts do not provide additional protection, and additional NICs do not prevent attacks from damaged computers. However, it may be more appropriate to use two NICs in situations where high availability or high performance is required.

Eliminate the point of failure. It is necessary to use two NICs in an environment where high availability is required. A practical design is to include two switches in the core and two NICs per server. One NIC is connected to one switch and the other NIC is connected to another switch.

What is the status of the internal network? For the same reason, internal networks should also be built with switches. If high availability is required, follow the same principles in the DMZ.

Cluster interconnection. Use hubs to connect all clusters, both in the DMZ and in the internal network. Bridging cables are not recommended by Microsoft because they do not provide the electronic signals required to ensure that media-sensitive operations are working properly.

A more secure option for ipsec-to trust the DMZ
If all servers are running Windows 2000, you should use Internet Protocol security (IPSEC) to secure all communication between the DMZ and the internal network. IPSEC provides the following features:

Authentication. You can determine such a strategy so that only computers that need to communicate with each other can communicate with each other.
Encryption. Intruders who have invaded the DMZ cannot interpret or interpret the communication in the internal network.
Protection. IPSEC protects the network against replay attacks, human intervention attacks, and attacks through standard protocols such as ICMP or HTTP (these attacks are through the Basic Firewall and stateful inspection packet filter firewalls).
When IPSec is enabled, internal firewalls must allow only IPSec, IKE, Kerberos, and DNS traffic, which further strengthens the security of the internal network. There are no other vulnerabilities in the internal firewall. For standard firewall rules that are vulnerable to a variety of applications, an intruder can determine the policy of a firewall by firewalk such a tool, while encapsulating all traffic in IPSEC and using only that protocol, hide the implementation details that might be useful to an attacker (but see also the "possible security implications" below). The following table lists the services that should be opened in the firewall: services
Position
Description

Domain

Ports 53/tcp and 53/UDP

Domain Name Service


Kerberos

Ports 88/tcp and 88/UDP

Kerberos V.5 Authentication


Isakmp

Port 500/UDP

Internet Key Exchange


Esp

Agreement 50

Secure payload for IPSEC encapsulation


Ah

Agreement 51

Headers for IPSEC authentication




Note that no certificate authorization is required, and the IPSEC policy will use Kerberos (the native Windows 2000 authentication mechanism) as the basis for establishing an IKE main mode security association.

Possible security implications. As mentioned earlier, communication between the DMZ and the internal network is not possible to check for communication in the internal firewall after encryption. Not all network or security administrators are satisfied with this approach. ESP encryption provides an encapsulated path into the internal network, which can be exploited once a DMZ machine is compromised. Using IPSec AH instead of ESP will make the simpler firewall configuration display its advantages, while the AH packet payload is not encrypted and can be checked for traffic.

Intrusion detection-an early warning system
Intrusion detection systems are becoming a necessary component of any network connected to the Internet. Although it can not replace the firewall detailed uninterrupted check and server log, but the intrusion detection system can identify the potential intrusion early, to provide you with more time to take appropriate measures to the accident. Please install the intrusion detection system in the DMZ.

Intrusion detection systems and antivirus utilities are similar, and they all alert administrators when they detect something they recognize. Intrusion detection systems contain an attack feature database, but not all intrusion detection systems can identify different types of attacks or keep up to date (each IDS vendor treats their feature databases and update mechanisms as trade secrets). There are two types of monitoring systems that are noteworthy: RealSecure by Internet Security Systems (http://www.iss.net) and network Flight Recorder (http://www.nf r.net).

host-based intrusion detection. Most intrusion detection systems work at the network level, alerting administrators when the network is compromised. Recently, a new type of intrusion detection system has emerged: host-based intrusion detection system. These tools themselves run on the server and alert administrators when a particular computer is compromised. This alert mechanism is especially important for computers that contain important operational data, such as back-end database servers.

Combining network-based intrusion detection systems with host-based intrusion detection systems and allowing trained security professionals to regularly check system logs is the most effective way to protect the network, gather evidence, and handle security incidents.

dns-ensure customers get to the right place
Common DNS implementations, including implementations as shown in the figure, are called split DNS implementations. External servers are used to troubleshoot the Internet's query of computers in the DMZ and to troubleshoot the DMZ computer's queries against other DMZ computers. Internal servers are used to resolve internal network queries on internal computers, and queries to computers in the DMZ or on the Internet are forwarded to external servers. However, splitting DNS does not protect the DNS cache from attacks.

In the violation of the DNS cache, an attacker can disrupt the DNS cache of another network. When the victim attempts to determine the address in the compromised network, the cache returns the invalid information that the attacker put in the cache. Usually the attackers do this to redirect the victim to the attacker's computer.

The most secure DNS implementation is called split-split DNS implementation. There are two DNS servers in the DMZ. A server, such as dmzdns-in, only accepts incoming queries to computers in the DMZ-and accepts only queries from computers on the Internet. Another server, such as Dmzdns-out, only allows you to resolve outgoing queries to the Internet, as well as queries from the DMZ computer for other DMZ computers. Dmzdns-in is the primary DNS server for the DNS zone in the DMZ, Dmzdns-out is a secondary DNS server that uses IPSEC for zone transfers. The DNS server in the internal network is only the primary DNS server for the internal network and forwards requests to the DMZ or the Internet to Dmzdns-out. This eliminates the condition of making the network vulnerable to attacks on DNS cache attacks.

DNS queries from the Internet cannot reach the internal network through the DMZ to get answers. Some recent attacks use DNS to pass their payload. There is no need for users on the Internet to query servers on the internal network.

Eliminate the point of failure. In a highly available environment, simply multiply the number of DNS servers.

Hardware load balancing-keeping the server in optimal performance
Windows Advanced Server includes a feature called Network Load Balancing Services or NLBS. NLBS provides a way for Web site administrators to perform server load assignment on the same configured server farm. NLBS is very useful for applications that do not require complex state maintenance or performance monitoring. However, for applications that require these tasks, you should select hardware load balancing. These devices are sometimes referred to as layer 7th switches.

Such devices as the BIGIP Content Switch (unofficially recognized in the industry as one of the best products in the F5 Network) work on the 2nd to 7th layers of the OSI model. BIGIP Content Switch detects the state and operation of the application, providing load balancing and true fault tolerance between WEB servers. To eliminate any single point of failure, you need to use two load balancing devices that exactly match all WEB servers. F5 also provides a BIGIP Content Switch version that supports the Encryption Sockets Layer (SSL). The SSL session terminates in the BIGIP SSL accelerator and determines which WEB server is performing the work. BIGIP Accelerator the following actions:

Uninstall the WEB server's SSL processing to improve its performance.
Centrally manage certificates. Install the certificate on the SSL Accelerator, not on each WEB server. It also enables synchronization of certificates between multiple BIGIP controllers.
Enable HTTP Host headers.
Troubleshoot the AOL client IP address sharing issue.
Eliminate the point of failure. If the goal is just to balance the load on the server, a load-balancing device is sufficient. However, to provide true fault tolerance, you need multiple devices that are configured to match exactly.

Storage Area Network-centralized storage of the internal network
Storage Area Network technology is already very mature, as long as it is equipped with large storage capacity of the place can be used. Sans move storage from a general-purpose server to a high-speed network specifically designed to transmit large amounts of data. This helps:

Optimizes server cabinet space by moving the disk array out of the cabinet.
Increase the security of your data by storing it in a separate network that is not susceptible to the type of attack that is currently known.
Provides backups that are not constrained by a LAN by reserving a communication backup outside the data network.
Initially, the Fibre Channel arbitrated Loop (Fc-al) was used to build the SAN. Newer Fibre Channel switches provide a higher level of throughput and allow administrators to design sans with no single point of failure.

The switched Fibre Channel SAN includes at least:

Two FC switches at the core interconnected.
Several switches located on the periphery-each LAN has a SAN-attached switch. Each peripheral switch is connected to two core switches.
The FC interface in each server is connected to its local SAN switch.
The SAN disk cluster has one switch connected to two core switches.
A switch in a SAN backup device that is connected to two core switches.
Eliminate the point of failure. Multiply all devices beyond the core: use two Fibre Channel adapters per server, two peripheral switches per LAN, two peripheral switches for SAN disk clusters, and two peripheral switches for SAN backup devices. Always connect two peripheral switches to two core switches.

What about network-attached storage? The NAS store Exchange files are not supported by Microsoft. Exchange requires that all files be saved on the local device. Exchange works well on fibre-attached SAN devices, which represent Windows 2000 as local devices.

©2000 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed at the date of release. Because Microsoft must comply with changing market conditions, the document should not be understood as a commitment by the Microsoft side, and Microsoft does not guarantee the accuracy of the information given after the date of release.

This document is for informational purposes only. MICROSOFT does not make any warranties, express or implied, in this document.

Microsoft, BackOffice, MS-DOS, Outlook, PivotTable, PowerPoint, Microsoft Press, Visual Basic, Windows, Windows NT, and Office The logo is a registered trademark or trademark of Microsoft in the United States and/or other countries (or regions).